The Open Banking Standard

A proposal for The UK Open Banking Standard has been released.

The Treasury is committed to “an open standard for Application Programming Interfaces in UK banking” which it believes will empower customers with “more control over their data” whilst making it easier for companies to use data “in a variety of helpful and innovative ways.” To achieve this, the Open Banking Working Group (OBWG) was set up to “produce a detailed framework for how an Open Banking Standard could be designed and delivered, with a timetable for achieving this.” Today they released that report.

Why is banking a concern?

According to the Open Banking Working Group, “Banking as a service has long sat at the heart of the economy because of the need to seamlessly and efficiently connect different economic agents who are buying and selling goods and services.” Staying at the forefront of global banking is a target for the current government.

Potential problems.

In short, Trust.

“Trust will remain the single most important factor in determining how those different means of connecting will be made beneficial. Our challenge has been to determine how best to enable high security (a critical foundation to building and maintaining trust) while not impeding development in a rapidly changing world… This standard will only be as good as the trust that all of the participants required to make it successful have in it; that will ultimately rely on the trust of individuals and businesses.”

It seems that the OBWG have failed to identify the ways in which blockchain technology can remove trust from these situations. Perhaps this will be highlighted in future reports as the technology matures and implementations that do not require trust become more mainstream.

Will customers be forced to give up their data?

The EU is “rapidly advancing legislation that will, upon implementation in the next two years, require UK banks (subject to consent from individuals and businesses) to open access to their customer data and payments capabilities.”

It is not clear whether companies will be able to offer services to people who do not wish to enter into the system; however, it will be possible for users to set access to their data as closed.

“Any individual’s personal bank details or a company’s transaction data are considered closed or shared data. They will be made available via an open API as a result of the implementation of this work, but access to them would be subject to consent of the individual or business to whom the data belongs and specific governance related to that. Such data will not be licensed or made public as open data as a result of this work… Data exists on a spectrum of accessibility. The data spectrum ranges from closed to shared to open. The data accessed via an open API may be closed, shared or open data.”

Summary of Key recommendations.

“An independent authority should be created, in collaboration with industry, to oversee development and deployment of the Open Banking Standard. Regulation is to be expected in any area of development where large amounts of personal data will be handled. This should be seen as a positive step in protecting consumers against malpractice from third parties.

The Open Banking API should be built as an open, federated and networked solution, as opposed to a centralised/hub-like approach. This echoes the design of the Web itself and enables far greater scope for innovation. A distributed network is bound to help this project to grow, be adopted more rapidly and develop into a more robust system than a centralised approach.

Customer transaction data (data that is presented to customers in their financial statements, including underlying transaction history, and data that relates to a customer’s account through which payments can be initiated) should be made available, with consent, via the Open Banking API as both customer-related data and aggregated data. The mention of aggregated data here is important: this data will be a valuable asset to whichever company is permitted access by users. Expect to see special offers / rates for those users willing to allow 3rd party access to aggregated data.

Protocols will be developed and shared with all participants in the Open Banking Standard to ensure that redactions in data that is shared via the open APIs are truly exceptional, based on specific risk considerations. Further work will be needed to explore the extent of redaction and what alternatives may be available.

The Independent Authority would vet third parties, accredit solutions and publish its outcome through a whitelist of approved third parties. Again this should protect consumers from malicious 3rd parties.

The Open Banking Standard will be made available under a licence that permits it to be freely used, reused and distributed. This is a positive and forward-thinking approach which will foster rapid development in other industries where this type of system can be developed. Furthermore, it will aid in developing the security of the system by utilising many developers to detect vulnerabilities.

Permission to access data will only be granted on the basis of informed customer consent, will be subject to constraints (e.g. duration or transaction size) and must be able to be revoked by the customer as easily as they were granted, or, if required for objective reasons, the data attribute provider.

Permission to both “read” and “write” certain data should be granted to third parties via the open API.”